
Update 7:23pm ET: As this post was being reported, Zoom developers reversed their previous position and issued an update that changes the contested behavior.

"Initially, we did not see the Web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process," Zoom's Richard Farley wrote. "But in hearing the outcry from our users in the past 24 hours, we have decided to make the updates to our service."

The update makes the following changes:

complete removal of the local Web server and

an addition to the menu that allows users to remove the app

Zoom developers also added new details about a previously mentioned update, which is now scheduled for Friday. It will

allow returning users to update their video preferences and make video OFF by default at any time through the Zoom client settings

What follows is the story as it ran earlier:

One of the easiest ways to tell if someone is a practitioner of computer security is to look at their laptop. If the webcam is covered by tape or a sticker, they likely are. A recently published report on the Zoom conferencing application for Macs underscores why this practice makes sense.

Researcher Jonathan Leitschuh reported on Monday that, in certain cases, websites can automatically cause visitors to join calls with their cameras turned on. It's not hard to imagine this being a problem for people in their bathrobes or in the middle of a sensitive business conference since a malicious link would give no warning in advance it will open Zoom and broadcast whatever is in view of the camera.

Zoom developers almost certainly intended the behavior to make it easier to use the Web conferencing app. But unless users have properly tweaked their settings in advance, Leitschuh's findings show how miscreants can turn this ease of use against unwitting users. A proof-of-concept exploit is available here, but reader be warned: depending on your Zoom settings, your webcam may soon be transmitting whatever it sees to perfect strangers.

"This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission," Leitschuh wrote.

Leitschuh is mostly correct there. Clicking the link will automatically open Zoom and join a call. But as mentioned earlier, video is collected only when Zoom is configured to begin conferences with a camera turned on. Some media reports and social media commentators have said this behavior allows websites to "hijack" a Mac webcam. I'd argue that's a stretch since (1) it's fairly obvious that Zoom is opening and broadcasting whatever the camera sees and (2) it's easy to immediately leave the conference or simply turn off the camera.

What's more, preventing the video grab involves a one-time click on a checkbox in the Zoom preferences that keeps video turned off when joining a meeting. But user beware: even when this setting is on, sites can still force Macs to open Zoom and join a conference.

That's not to say the threat Leitschuh disclosed is mere handwaving. It's not. But it underscores the near-impossible balancing act developers must strike. Make a feature too hard to use and people will move to a competing product. Make it too easy and attackers may abuse it to do bad things the developer never imagined.

In this case, Zoom developers should have warned that the ability to automatically join a conference with video turned on was a powerful feature that could be used to compromise users' privacy. Instead, the developers left it up to users to decide with no up-front guidance. (By contrast, audio is automatically turned off when joining a Zoom conference.) In other words, Zoom developers made this automatic webcam joining way too easy. In retrospect, thanks to Leitschuh's post, that's easy to see.

In a response to Leitschuh's disclosure, Zoom's Richard Farley said the company will roll out an update this month that will "apply and save the user's video preference from their first Zoom meeting to all future Zoom meetings." Farley didn't say whether Zoom will provide the guidance many users will need to make an informed choice.

An always-on webserver

Leitschuh's research uncovered another behavior by Zoom for Mac that is also unsettling to security-conscious people. The app installs a webserver that accepts queries from other devices connected to the same local network. This server continues to run even when a Mac user uninstalls Zoom. Leitschuh showed how this webserver can be abused by people on the same network to force Macs to reinstall the app.

This clearly isn't good. While the webserver is only accessible to devices on the same network, that still exposes people using untrusted networks. And if hackers were ever to come across a code-execution vulnerability in the webserver, the potential for abuse is even higher. Farley said Zoom introduced the webserver as a way to work around a change introduced in Safari 12 that requires users to confirm with a click each time they want to start the Zoom app prior to joining a meeting.
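The security-relevant property of the webserver described above is not that it exists but that it accepts connections from the whole local network rather than from the Mac itself only, and that it can outlive the app that installed it. A defender can audit a Mac for that class of behavior by listing listening TCP sockets and flagging any bound to every interface. The helper below is an added example, not code from the article or from Zoom. It parses the output of `lsof -iTCP -sTCP:LISTEN -P -n` (a real lsof invocation on macOS); the sample rows, process names and port numbers embedded in it are constructed placeholders, not Zoom's actual values, which the article does not give.

```shell
#!/bin/sh
# Audit helper (added example): flag TCP listeners that are reachable from the
# local network, i.e. bound to the wildcard address (*, 0.0.0.0 or [::])
# instead of loopback (127.0.0.1 or [::1]).
#
# Live use on a Mac:
#   lsof -iTCP -sTCP:LISTEN -P -n | flag_lan_listeners
#
# Run a second time after uninstalling an app: a listener that is still present
# is a background component the uninstaller did not remove.

# Constructed sample of lsof output. Every command name and port is a placeholder.
SAMPLE_LSOF='COMMAND      PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
svc-a        401  alice   4u  IPv4 0x0001      0t0  TCP *:49152 (LISTEN)
ExampleSvc   512  alice   7u  IPv4 0x0002      0t0  TCP *:19000 (LISTEN)
localhelper  613  alice   5u  IPv4 0x0003      0t0  TCP 127.0.0.1:8080 (LISTEN)
devserver    700  alice   9u  IPv6 0x0004      0t0  TCP [::1]:3000 (LISTEN)
svc-b         80  root    3u  IPv6 0x0005      0t0  TCP [::]:2222 (LISTEN)'

# Reads lsof output on stdin; prints "COMMAND PID ADDRESS:PORT" for each
# listener that is not restricted to loopback.
flag_lan_listeners() {
    awk 'NR > 1 {
        # With -P -n the NAME column ends in "ADDR:PORT (LISTEN)", so the
        # bind address is the second-to-last field.
        addr = $(NF - 1)
        sub(/:[0-9]+$/, "", addr)     # drop ":PORT", keep the bind address
        if (addr == "*" || addr == "0.0.0.0" || addr == "[::]")
            print $1, $2, $(NF - 1)
    }'
}

# Convenience wrapper over the constructed sample; returns the number of
# network-reachable listeners found in it.
count_sample_lan_listeners() {
    printf '%s\n' "$SAMPLE_LSOF" | flag_lan_listeners | grep -c .
}

printf '%s\n' "$SAMPLE_LSOF" | flag_lan_listeners
```

On the constructed sample the wrapper reports three listeners (two bound to `*`, one to `[::]`) and ignores the two loopback-only processes. A listener that survives removal of its parent application is worth tracing to its launch mechanism; on macOS, user-level background processes are typically started from property lists under `~/Library/LaunchAgents`, which is the next place to look.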

"We feel that this is a legitimate solution to a poor user-experience problem, enabling our users to have faster, one-click-to-join meetings," Farley wrote. "We are not alone among video-conferencing providers in implementing this solution."

Convenience is the enemy of security

As is the case with the auto-on webcam when joining meetings, Zoom's implementation of a webserver is a convenience that comes at the potential cost of security. Neither behavior represents a critical vulnerability, but they do suggest Zoom developers could do more to lock down the Mac version of their app, particularly for users who may have less awareness of security issues.

And this is where precautions such as tape over a webcam come in. Users can never be sure developers have adequately safeguarded their apps against hacks or abuse, so the responsibility falls on end users to compensate. Another way to protect against abuses of Zoom or other Web conference software is to use an app such as Little Snitch and configure it to give the conferencing software Internet access for only limited amounts of time. Another self-help protection is to configure macOS so that Zoom only has access to the webcam at the specific times when it's needed.

Promoted Comments

I was turned off the software from the start, since their Mac OS .pkg installer used the preinstall scripts to download and install the software, and didn't deploy any actual OS packages. This was strike one for me.

Strike two was how insistent they are about installing their persistent desktop client. Nobody needs to bug me that much to install it. It just screams shady behaviour. Not to mention how crappy their desktop client is. It feels like a rushed Windows app ported to Mac OS by inexperienced developers.

Note that if you get Zoom meetings frequently, you do not have to install their client to join them. Every Zoom link also allows you to join the meeting from the browser, with completely zero downsides. No installation required. Full webcam and audio.

Farley said Zoom introduced the webserver as a way to work around a change introduced in Safari 12 that requires users confirm with a click each time they want to start the Zoom app prior to joining a meeting.

So basically they are maliciously circumventing an intentional security feature of the OS/browser. Apple should blacklist their app and prevent it from running until they remove the web server and play by the rules.


One of the easiest ways to tell if someone is a practitioner of computer security is to look at their laptop

I take a little exception at this... the view from my webcam is the LAST thing I'm worried about in computer security. I regularly see users with tape over their webcams, blissfully browsing facebook and instagram, typing passwords with one finger, and walking away from their unlocked consoles. Tape over the webcam is security theater at its finest. If ever I get blackmailed, it will be for what's on my screen, not what's in front of it.

One of the easiest ways to tell if someone is a practitioner of computer security is to look at their laptop

I take a little exception at this... the view from my webcam is the LAST thing I'm worried about in computer security. I regularly see users with tape over their webcams, blissfully browsing facebook and instagram, typing passwords with one finger, and walking away from their unlocked consoles. Tape over the webcam is security theater at its finest. If ever I get blackmailed, it will be for what's on my screen, not what's in front of it.

Why not both?

While I agree the biggest threat is an APT (advanced persistent threat, call it a rootkit or whatever), not just on your PC but also on a server you may be connecting to, because that could cost you your financial identity or bank account balance, seriously, a view into your house exploitable by some creep on the internet? Heck no.

Farley said Zoom introduced the webserver as a way to work around a change introduced in Safari 12 that requires users confirm with a click each time they want to start the Zoom app prior to joining a meeting.

It should be more than a little disturbing that Zoom is admitting it decided to bypass a security decision Apple made for its browser.

I take computer security very seriously. I keep my software up-to-date, I use Noscript, I generate long random keys to use instead of passwords, et cetera. I do not put tape over any cameras.

If intruders were to get into my computer, then I expect that they'd be much more interested in nabbing various files, including crypto keys, than in watching my face as I'm looking at the screen. My sensitive data are stored on the disk, not written on my forehead.

So the webserver is an executable hidden in the user's home directory. It hangs around even if the user deletes the app from /Applications. That's useful information I wish was included in the article. Next question, is it persistent or does it just die next time the Mac is rebooted? I wonder if there is a LaunchAgent that should be cleaned up too.


I take computer security very seriously. I keep my software up-to-date, I use Noscript, I generate long random keys to use instead of passwords, et cetera. I do not put tape over any cameras.

If intruders were to get into my computer, then I expect that they'd be much more interested in nabbing various files, including crypto keys, than in watching my face as I'm looking at the screen. My sensitive data are stored on the disk, not written on my forehead.

They could use the camera to see you type a password on another device in that same room, no?

Once they're in my computer they'd have better luck with a keylogger tapping all the passphrases I type on the same device.

One of the easiest ways to tell if someone is a practitioner of computer security is to look at their laptop

I take a little exception at this... the view from my webcam is the LAST thing I'm worried about in computer security. I regularly see users with tape over their webcams, blissfully browsing facebook and instagram, typing passwords with one finger, and walking away from their unlocked consoles. Tape over the webcam is security theater at its finest. If ever I get blackmailed, it will be for what's on my screen, not what's in front of it.

And I take exception to your exception. Simply because some people commit "Stupid-level-8" while protecting themselves from "Stupid-level-6", doesn’t make the latter theater.

Leitschuh's research uncovered another behavior by Zoom for Mac that is also unsettling to security-conscious people. The app installs a webserver that accepts queries from other devices connected to the same local network. This server continues to run even when a Mac user uninstalls Zoom. Leitschuh showed how this webserver can be abused by people on the same network to force Macs to reinstall the app.

My reaction to discovering that the duhvelopers guilty of codemonkeying the latest version of the PG Admin tool (GUI admin for the Postgres database) had decided that maintaining an actual desktop application was too hard and that it was a better idea to install a web server so I could poke around the database in my browser was a solid minute of profanity.

Doing this to circumvent OS security features is an order of magnitude more obscene.

PGadmin was at least open enough about what it's doing that any reasonably technically apt person would realize how it works, and there are enough hardcore geeks in its userbase that I'm fairly comfortable it doesn't have any facepalm-worthy security flaws.

I tried the example on Leitschuh's post. I've also used Zoom screen sharing with clients before, but no video, so I'm not positive the entire Zoom client was installed.

Clicking the link brought up something like five dialog boxes (including macOS asking if I wanted Zoom to use the camera, which I allowed) before the camera light went on. When I left the Zoom meeting, it told me the Zoom update was available.

If I’m remembering correctly, for a long time Macs have had the camera indicator light hardwired to the camera so the light will always be on if the camera is operating since the light is not controlled by firmware or software. That’s why I don’t bother taping over it. Though I’m willing to risk a quick peek, while others might not.

I have heard in the past of instances where laptops didn’t have the light hardwired so they could be hacked to turn on the camera without the light coming on. In that case, or if there was no indicator light at all, I would definitely tape over the camera.